GDS weighs in on the NHS's decision to retreat from Open Source
3 days ago
- #NHS England
- #Government Digital Service
- #Open Source
- The UK Civil Service phrase 'invited to a meeting without biscuits' refers to a frosty discussion without normal polite niceties, though public disagreements are rare.
- NHS England closed all Open Source repositories due to unfounded AI hacking fears, sparking outrage and a petition with over 2,000 signatures.
- Government Digital Service (GDS) published guidance, 'AI, open code and vulnerability risk in the public sector', brutally repudiating NHS England's stance.
- GDS argues that making code private creates a false sense of security and does not address underlying issues like lack of ownership or patching capability.
- Closing repositories can become a permanent, ineffective fix, and hiding code may not keep it from capable adversaries, since public repositories are routinely mirrored or forked before they are closed.
- GDS emphasizes that coding in the open promotes high-quality, secure work and that security is a shared responsibility requiring proper resources.
- NHS England's decision appears to be an overreaction by a small group to a report on vulnerabilities, contrary to internal guidance and best practices.
- The author hopes GDS's guidance will align NHS England with best practices or that GDS reasserts its authority to veto such decisions.
- Budget cuts have eliminated biscuits at meetings, affecting morale, and NHS England has shut down nearly 200 repositories, with more possibly to come.